
Setting up smart host relay

Status
Not open for further replies.

mikestl

Technical User
Oct 17, 2003
32
US
At the moment the company I work for has the Exchange server on the internal network set up so that it directly receives inbound SMTP connections from the internet. For various reasons I am working on getting a relay set up, probably a smart host. I want to set this up on the DMZ where the web server resides. My question is this. Are there security issues I should be aware of with running an SMTP smart host on the same box as IIS? As far as processing capability I am not worried, as it is not a busy website. I can understand the security mentality of separating every service on a separate machine so that if one is compromised, they are less likely to get in to one of the others. However, it does seem like overkill for the small size of our company to be running a web server and an e-mail relay on separate boxes. Any input is appreciated!
 
Well, I think you are on the right path. A Windows-only guy would say you are on the right path as well.

I would recommend a Linux box running Postfix. Any small simple box will do, just needs a couple NICs. RedHat or any other flavor of Linux you like. There are ample scripts to harden the OS. Postfix is a great little MTA, easy to configure, flexible, and secure as they come. Additionally, depending on how you configure Postfix, should the Exchange server go down, you can quickly install and enable IMAP or POP services on the Linux box so that mail can be sent and received in the interim.

Personally, I don't know enough to intelligently say one thing or another about the risks of IIS on 2003 and (whatever mail program you'd use), but I do know that most of the vulnerabilities found and exploited are Windows-based. I also know that the last time someone asked me to put a Windows box in the DMZ or on the Internet was back in NT4 days.

I know security through obscurity is a no-no, but any and every little deterrent helps. And, it does diversify your resume...

Robert Liebsch
Stone Yamashita Partners
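
For reference, a minimal Postfix `main.cf` for the inbound DMZ relay role discussed in this thread; it is an added example, not configuration posted by anyone in the thread. The domain `example.com`, the host name `relay.example.com` and the Exchange address `192.0.2.10` are placeholders.

```conf
# /etc/postfix/main.cf: inbound-only SMTP relay in the DMZ (added example).
# Placeholders (assumptions, not from the thread):
#   example.com        the company's mail domain
#   relay.example.com  this relay host
#   192.0.2.10         the internal Exchange server

myhostname = relay.example.com

# No mailboxes on this host: it only passes mail along.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Accept mail from the Internet only for our own domain.
relay_domains = example.com

# Forward accepted mail to Exchange. The brackets suppress the MX lookup.
# /etc/postfix/transport holds the single line:
#   example.com    smtp:[192.0.2.10]:25
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the edge instead of queueing mail that
# Exchange will bounce later. The map lists the valid addresses.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Only the relay itself may send to arbitrary destinations.
mynetworks = 127.0.0.0/8

# Open-relay guard: anything not from mynetworks must be addressed
# to a domain listed in relay_domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
```

With this layout the inner firewall only needs to allow TCP 25 from the relay to the Exchange server, and the outer firewall only TCP 25 from the Internet to the relay.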
 
Thanks for the advice. I think I am going to go ahead and go with putting the relay on the web server, and add an extra firewall in order to put the web server in a DMZ. Your suggestion of running Postfix would probably be better. I don't feel comfortable enough in my abilities in Linux to be setting up something in a production environment though.
 